FROM McANDREWS, HELD, & MALLOY 



(TUE) 7. 26' 05 16 :45/ST. 16 :43/N0. 4861050007 P 5 



02, UK Patent Application <,9,GB o„ 2 121 569 A 



(21) Appflc:atfonN{>B312834 
122) Date offtlmg 10 May Idas 

(30) Priorit/data 

(31) 377413 

(32) 12 May 1982 

(33) UnHedStatasof Amflrfca 
(US) 

(43) Application publfshed 

21 Dm 1983 
(511 iNTCL' 

G06F IS/44 
(52) Domestic Classification 

C4A13£ naAP 

G4H13D14A1ATG 
(56) DocumenkA cited 

EPA 0033833 

ePA00D5179 

US 4168871 
(68) Held or search 

G4A 

(71) ApplTcants 

Bally Manufacturing 

(USA-Illinois). 
2640 We9t Belmom 
Avenutr 
Chicago, 

StBteoflUinois $0618, 

UnftBd States of America. 
(72] Inventor? 

Martin Anthony Keane 
(74) Agent and'Or Address for 

Service 

Svtilt Wads andTannant 
27 FUmiva] Street* 
London. EC4A IPO. 



(54) System guarantdeirtgintsgifty^ 
a gambling system 

(57) Data and associated validation tn- 
formation stored in a nonsecure loce> 
tlon are verified as to integrity by 
cryptograph techniques. Verfflcatlon 
activates a gambling system to operate 
in a gamblei^responafve mode, and 
non-veriffcation activates an alami 
mode. The system ia used in postal 
metering, electronic mail, electronic 
funds transfer and other source data 



processing systems. T7ie validation In- 
formation is formed by deriving a first 
value from the data according to a first 
relationship, and then deriving the vali- 
dation Information from the fJrel value 
by means of a nonpublic derivation 
having an Inverse fu notion. The valida- 
tion word IS then associated with the 
data and stored in the nonsecure par* 
tion. Verification (s accomplished by 
deriving 430 a first value from the data 

(57) continued over1edf„. 




COMtaiuT^ DP tJOhd^Sgj^LQO ROAA As 



OONipOte IMTeC-ER VA|_L»e.f*(R> for AeiAAirJiMb- 



'^VAWlMTlOM UloROW &AS&OOM PUauC 



3^ 



MLAVSR-*40H'RCSf*OMnve 




yes 



Pieom SCA-wRe SEALED 
ROM 




Q 
CD 

ro 

lO 

01 
CD 



This spec'fficatiori as filed includes a computer progrem which is not here rBpn>duoed, 

POOR OUALIXy. 

PAGE 5(18* RCVD AT 712812005 5:43:29 PM [Eastern Daylight Time] * SVR:USPTO{FXRF-6/24 * DNIS:2738300' CSID:31270791S5* DURATION (inm-ss):05^ 



BEST AVAILABLE COPY 



FROM McANDREWS, HELD, & MALLOY 



(TUE) 7. 26' 05 16:45/ST. 16:43/N0. 4861050007 P 6 



T 



by the first relationship, and deriving 
450 a second value from the validation 
Infomnatlon by means of the Inverse 
function* The first and second values 
Are opera lively related 4iGQ to determine 
system integrity. All relationships are 
one way functions, m a preferred embo- 
diment. In a preferred embodiment^ the 
ftrst and inverse second relationships* 
are public and the second relationship 
15 secret 
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SPECIFICATION 

A system and method for guaianteelng the Integrity of a gambllnji system 

5 This invention relates to secure systems, such as gambling apparatus, and more particuJariy taa system for g 
guaranteeing the integrity of information content in the secure system^ such as the oontroJ program of 
gambling apparatus. 

Iris often the case in electronic gambling systems that a microprocessor electronics based gambling 
system can be customized for different types of play by changing o memory device inuch aa en EPROM) or 

10 by changing the memory device contents {such as by remotely downloading data into a read-wn'te memory ^ q 
{RAM or ePROM). How«vvr, it qvrrc^ntly th© practtcsof some ytate gambling commissions, such as New 
Jersey, U»S.A, to require a seal be applied to all circuitry on each circuit board (including the EPROM or RAMJ 
as part of the certification process. Thus, Inventories must be maintained of the sealed boards for each of a 
plurality of machines^ both in manufacturing output and maintalmng a repair stockpile. This approach ia 

15 both costly and jnt^fncient. Inasmuch as many machines have a common nucleus and utilize the same circuit ^ g 
board with a different control memory pragram for each of a plurality of games being selected by 
interchanging a memory device or its contents. 

Although tht5 approach Is costly and cumben^ome, there haa heretofore been no alternaUve technique 
provided to perform the important function of guaranteeing the integrity of the gambling machirfes, 

20 In accordance with one aspect of the present invantion, a system is provided wherein data and associated 20 
validation information stored In a nonsecure location are verified as to integrity by cryptographic techniques. 
Good integrity verifies tie n activates the system to operate In a ftrst mode, and bad integrity verification 
aptivates theey&tem to operate in a second mode. In a prefemad embodiment, th« syatem 19 a gambling 
system, with a first mode corresponding to user responsive operation and the second mode cornesponding 

25 to an alarm mode. Other systems where ti>e present invention would be useful include postal rr>etering, 26 
electronic mail electronic funds transfer and other secure data processing systems* 

In accordance with another aspect of the present invenfion, the system has an interface port for 
communicating with an external device, such as a central control computer- Data and associated validation 
informaiion are loaded into memor/ in the nonsecure locatlon, and the system verifies the Integrity of the 

00 data and associated validation information as stored in the memory by cryptographic techniques oparativeiy 30 
relating the data to the associated validation wordr The system is activated to either a first or second 
operative mode responsfve to a verification result of good or bad integrity, raspectrvaly. 

For example, a central computer could download information to one or a plurality of remotely located 
systems which would each verify the Integrity of the Information received and stored In Its respecdve 

35 memory. Where the remotely tocated systems are gambling systems, the downloaded information can be 35 
odds, control programs, random number seads, etc. 

In accordance with one of the illustrated embodiments of the present Inverttfon, a gambling apparatus is 
disclosed having a securs portion which Is certified and sealed by the Gaming Commlsfiion, and having 
nonsecure portion, not sealed by the Gaming Commission, the integrity of which ts verified by the secure 

40 portion. The secure portion of the gambling apparatus comprises a circuit board having a central processor 40 
and a first memory. The nonsecure portion of the gambling apparatus Is comprised of a second portion of 
the circuit board, or an independent circuit board, having a second memory such as a nonsecure ROM, 
EPROM, or read-write memory (RAIVl), Utilizing cryptographic techniques, the imegrfty of the nonsecure 
portion of the system is verified by the secure portion of the system. 

45 The gambling system Is operable in three modes, and powers up In a test mode for verifying the integrity 45 
of the gambling system. Where a positive verification is made thatthe nonsecure memory (e.g. ROM) has 
satisfactory integrity, the system h activated to an operable mode responsive to player user control inputs. 
Alternativelv, where the results of ttie test mode Jsa negath/e verification ahowing the nonsecure memory 
does not have good integrity, and gambling system is forced to an Inoperable mode nonresponsive to player 

50 user control inputs, and an alarm is activated. 50 
The nonsecure portion of the circuit board, the fntsgrity of which Is cry ptog rap hi cally detectable, has a first 
nonvolatile memory (such as a ROM, PROM, EPROM or EEPROM nonvolatjie memory or a read-write (RAM) 
volatile memory) having a validation word stored therein, the validation word toeing derived from the first 
memory contents according to a first relationship. The validation word is formed by deriving a fir^t value 

55 from the first memory's contents. The validation word is then derived from the fir«t value by means of a 55 
nonpublic derivation having an Inverse functfdn. Tha validation word is then combined to form a part of the 
contents of the firm memory. 

The secure portion of the cfrcirit board has a processor and a second nonvolatile memory mounted 
thereon. The integrity of the secure portion is overt and detectable, such as by physical seal. Thesecure 

6Q portion of the board includes means for deriving a second value from the validation word of the first memory 
means of the Inverse function. The secure portion also Includes means for comparing the first and second 
values, and means for verifying the Integrity of the second memory. The verification means activates the 
gaming system to the user reponsive play mode responsive to a comparison result of equality, or activates 
tha gaming sysremto the user nonresponsive (alarm) mode responsive to a comparison result of Inequality. 

g5 The relation ship for deriving the first value, the nonpublic relationship, and the inverse relationship of the es 
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non-publio relationship, ace sudn that interrelating or cross derfvlng ppe to another h very complex and an 
extremely difficult and li me consuming taak- In a preferred embodiment, the encryption function Is secret 
and the Inversefunction fs public 

A better understand tng of the invention may be had from the following detailed examples^ the detailed 
5 description being taken in conjunction with the accompanying drawings In which: g 

ftffure 7 is a perspective view of a gaming system such as a video slot gambling machine. Illustrating one 
apparatus which can utilize the present Invention; 

FfgutaZXt a top view showing one embodiment of a circuit board as contained In tht# gaming system of 
Figure 1 having e secure portion and a nonsecure portion: 
1 0 Hgure 3 Is a flow chart illustratlngona embodiment of the encryption method utilized In accordance with ^ q 
one embodiment of the present invention; 

Figure 4 Is a flow chart of the decryption/test method as utilized In accordance with one embodiment of the 
present invention; and 

Figure 6A*D are computer program listings for one embodiment of the present inention. 
IS Referring now to Rgure 1, a g aming system ib shown illustrative of one embodiment of the present 
Invemfon. A housing 100 Is provided which contains the necessary human player control Interfaces as well 
as electronic circuitry and mechanical circuitry. Human player control Inputs are provided, such as push 
buttons 110 $nd control handle 120. A viewing area, 130 such as video screen is provided on tho front of the 
cabinet housing 100 for player viewing of the gaming machine response to player inputs. Coin shoots 140 
20 are provided for accepting player coins and returning bent coins. The number of credits which the player has 20 
as well as the active game display are provided on the visual display means 130. For example, the gaming 
system of Figure 1 can be a siot machine gambling system having 3,4^ or any number of reels, or may 
alternatively be any other type of gaming or gambling system. Where applicable, a pay out shoot 146 may be 
provided for outpunlng coins 10 winning players* 
25 The housing 1Q0 also contains an electronic circuit board 200, as shown in Rgure 2, which provides the 25 
control and game electronic circuitry necessary to create the desired gambling system in conjunction with 
the video display 1 30 and user Interface controls 1 1 0 and 1 20. Additionally, the housing 1 00 contains 
necessary power jupplles, limit svvltchea, etc. necessary to Implement the remainder of the desired gaming 
system i 

30 Referring to Figure 2, the circuit board 200 as discussed with reference to Figure 1 1s shown in block 3^ 
diagram form. The circuit board 200 may be comprised of a single circuit board or of a plurality of circuit 
boards with appropriate interconnections provided* The circuit board 200 is comprised of two functionally 
separate unfts, a seeled secured portion 210 and a nonsealed, nonsecure circuit portion 250. The sealed 
circuit board portion 210, as illustrated, contains a microprocessor 220, a readonly memory (such as a ROM, 

3^ PHQM, or BPROM). and miscellaneous eiectronic and electromechanical circuitry 240. The sealed portion of 35 
the circuit board 210 repreeente the sealed portion of the gaming eystemtn a physical sealing manner which 
would comply with a particular State Qamlng Commission's requirements. 

The nonsealed portion of the circuit board, 250, contains en interconnsction socket 260 for a memory 
device, (e.g, for a ftAM, ROM. PROM, or EPBOM)> Whan the eocket 260 provides Interconrtection for a 

40 read-write memory, RAM or EPROM, the data contents of the read-write memory can t>e downloaded into 4Q 
: the read-write memory. For example, a control program can be down-loaded from a remote ^e Into the 
read-v^ite memory of a local gambling system via an biterface port 270 (Figure 2} of the local gambling 
system and the downloaded program verified by the secure portion of the circuit board in accordance with 
the teachings of the present Invention. Multiple gambling systems can be configured to meet crowd 

45 selection patterns by specifying control programs either locally or remotely for each system. The systems 45 
can efso be selectiveiy forced inoperatrva by downloading appropriate control programs. This portion of the 
circuit board Is nor physically sealed, and ttius the memory Inserted into the ROM eockst 2S0 o^n easily be 
changed or interchanged . While this ts desirable from the view point of minimizing sper« parts stock piling 
and maximizing manufactun'ng flexibility, the nonsealed socket does pose security risks and problems. 

50 However, in accordance with the present invention, CTyptographic techniques are utilized to verify the 50 
imegrfty of the nonsecure portion of the cfrcuh board, 250, via mearts of cryptographic processing by the 
secure portion of the circuit board. 210. The microprocessor 220 may be of any type« with its selection being 
made based upon desired operating speed, instruction set capabilities, and cost considerations. In addition, 
the micro proceesor 320 may be compriaad of a plurality of drcuits Including a general purpose 

55 microprocessor (of a 4.8, 16, 32, etc bits register length), In cottjunctlon with special purpose peripheral 55 
processors and interface chips, such as number crunchers, fast Fourter processors, fast multipliers, etc. 

Referring to Figures Sand 4, the methodology utilized to accomplish the invention of the Illustrated 
embodlmemscan ba more readily understood by refeiBnoe to the encryption (Figure 3) and decryption 
(Figure 4) flow charts. 

60 Rflferring to Figure 3, the encryption process Utilized for creating a verlflably secure memory for insertion go 
into the nonsealed socket 260 (of Figure 2) is illustrated in flow Chan form. The procedure stars at sicd 300. 
Proceeding at step 310 the last N bytes of the nonsecure memory are designated as a validation word W and 
reserved from the remaining contents jf the nonsecure memory which is designed as the vector R. A control 
program which has been developeO is loaded into the encryption systemK memory and de8ign.-itRd aa tlv» 

65 contents of the nonsealed and nonsecure memory (the vertor R)^ The validation v-rord w is as yet undef»ned, 65 
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but will represent the encrypted key to Injure the mt^grity of the remainder of the contents of the memory 
Proceeding to step 320 an integer value RRJ is computed from the vector R by means of a one way public ' 
function F F Is a one way function mapping R Into an integer whos» magnrtude fs comparable to that of one 
! . .^"^ be one to one, but should be such that changing R while leaving FiR) unchanged is a 

5 d fficult task. The function F is a public mncilon In that it Is also utlGzed In the encryption process and may be 
discovered or known by members of the public. 

Proceeding to step 330, a validation word W is computed from the value HR) by means of a secret function 
D which maps words into words with an tnvoreefuncUon E which is a public encryption function. Thus W « 
D(F(RJ), and E(D) = 1. Thus, when the function E Is utflteed in the encryption process, E <W) should equal RR) 
10 only wheri the contents of the memory (the vector Rand the validation word W) has not been tampered with, 
TTius, the Integrity of the contents of the nonsealed nonsecure memory can be verffled 

Proceedina to step 340, the validation word W is placed in the nr»emory locations which had been set aside 
as the last N bytes of the nonsealed memory. At this point the encryption procea has end^d as evidenced at 
step 350. The contents of the nonsealed memory (vector R) plua the vaJidation word (appropriately located in 
15 the lost N bytes) can be committed to the nonsecure and nonsealed memory (e.g. ROM, EPROM, RAM), 
For further details on one way mapping functions, and public key cyrptography concepts, reference is 
madeto the literature In general, such as "A Method for Obtaining Digital Signatures and Public Key 
Cryptocism Systems", by R.L Rivest et al, as published in the February, 1978, Volume 21. Number 2 issue of 
the Communications of the ACM, at pages 120-120, hereby incorporated herein by reference. A second 
20 reference, "The Mathematics of Public ICey Cryptograph/^ by Martin g. HoIlmBn, published in Scientific 
American, pages 146-157, 19, deals generally wtfth the mathematics involved in public key cryptography, and 
IS hereby incorporeted herein by reference. Both of the aforementionad refurences deal with the general 
problem of secure electronics communication system, aither for message transfer, or for funds transfer. The 
referunces address themselves to techniques to prevent tampering with new electronic communication 
^ systems and fund transfer systems and means to protect the vast quantities of private Information such as 25 
credit records and medical history stored in computer data banks. Encryption and decryp- tion are utilized for 
transforming information so that it is unintBlligible and therefore useless to those who are not meant to have 
access to It Secondly, cryptographic techniques are utilised to insure that messages sent have not been 
tampered with, of critical concern in electronic funds transfer, 
30 • Referring to Rgura 4, the decryption process Is llluatrated in flow chart fbrm. Illustrating one embodiment 30 
of the prtfaent invention. The process flow starts when the gambling system of Bgure 1 1s powered up, at 
step 400. The process proceeds to step 41 0 where tho system is set to the test mode, wherein the system is 
nonresponsive to players control Inputs. The contents of the nonsealed portion of the circuit board are 
examined by the secure seafad portion of tho circuit board, by dHflning the last N bytes of the nonsealed 
35 memory contents as the validation word W,and defining the remaining nonsealed memory contents as a 35 
vector R, whose elements are the individual words of tho r^onsealed memoTy. 

Proceeding, as illustrated at step 450, the integer value F(R) la computed for the nonsealed memory 
contents represented as the vector R by means of the public function F. Next, an integer value E(W| is 
computed from the validatio n word W based upon the public encryption function E. It will be recalled that the 
40 function E is the Inverse of the function D. Thus, efW) = E(D{RR))) = F(R] only when the contents of the 40 
nonsealed memory have not been tampered with. 

The decryption process proceeds as illustrated at step 450, where the computed value F(R) is compared to 
tiie computed value EfW). If F(R) = E(W), then tiia intagnty of the nonsealed memory has been positively 
verrfied, and the gaming system flow proceeds as Illustrated at step 480. The gaming system is set to a 
45 player responsive operable mode, wherein the coin chuteand user controls are activated andthegaming 45 
system becomes playable, as illustrated at step 490. The control program contained In the nonsealsd 
memoiy is executed by the processor In the sealed portion of the circuit hoard, 210, and the gaming system 
operetion proceeds under supervision of the control program. At this point; ttie decryption and integrity 
verification procedure has been completed, as illustrated at step 500. 
50 Referring back to decision block 450, where the result of the comparison of FIR) and E(W) results in a 50 
datermiriation of inequality, the procedureal flow continues as illustrated at step 480, The gaming systam of 
Rgure 1 is set to a player nonresponshm alarm mode. The user controls become inoperative, and tho system 
proceeds to execute an alarm control program, as preferably atored In the secure sealed ROM illustrated at 
step 470. Atthta point the machine is disabled, and the operator Is Informed of the error condition. The 
55 tainted nonsealed memory dovice 1$ removed from the nonsealed socket and the operator can choose 55 
between shutting the system down, or trying an altamte norhseaied memory integrated circuit Where the 
system is shut down, the procedural flow Is ended, as illustrated at block 500. Where a new integrated circuit 
is placed in th© ROM socket 460, the decryption procedure repeats starting again at step 400 with power up. 
In either event, the tainted memory chip should be turned over to authorities for evaluation as to tampering 
QQ orsimply system or manufacturing error. 

Thus, in accfordance with the discussion of tiie Illustrated embodiment, herein, the ROM 230 In the sealed 
portion of the circuit board, 210, contains a verification program to monitor the security of the nonsealed 
portion of the circuit board 250 containing the plugged in nonsealed memory 260, The function F is a 
plublldy available function such that the signature F(R) providssa publicly available signature of the 
gg nonsealed memory contents less the validation check word W, while the encryption function C Is publicly es 
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available to provide for a publicly available encryption key check word E(W). By computing th9 validation j 
check word W uei ng a eacrat dacrypiion ksy, function D, which Is ttia invarsa of the public encryption 
function E. the Fntegrity of the entire contants of the nonsealed memory (both the validation word V\rand the 
remaininq contents) can be protected and detected in accordance with the present Invention's teachings. 
5 An example may be Ulustratlve. Presume the noncoaled memory to ba protected is an EPROM having a g 
capadty of 2048 bytes. The last 8 bytes are set aside as ttie validatian word W, and the remainder fs i 
partitioned into 408 five byte wohds (Da, 0^ D407].Denne ACS preapecrfied integers {Pu Pt» ^w) end an 
additional prespecrffed integer P4oa- Additionally, a large composite integer XNBase is prespecrfled. F(R) and 
E(W) can then bo computed as follows: 
no '10 

i=A07 

- F(R) =2 Wi '''(modulo XNBase), \ 

j = o ' 

15 15 ' j 

E(W) = W*^® (modulo XNBase). ! 

The validation check procedure can be modHIed slightly euch that if FfR) plus E(W) (modulo XNBase) equal 
20 to 0 than the integrity of the EPROM is questioned and the system goes to the alann mode. This example In 20 
Its modified format has been implemented with a BASIC language program and has been successfully tested 
on an EPROM from an electronic slot machine. The BASIC language program and EPROIVl obieiA code 
he)cdump listing are niustrated In Rgures 5a-d. While BASIC languagewaa utilized In the illustrated program 
of Figure 5, any computer programming language could be utilaed with an appropriate system. In the ; 
25 Illustrated system of Wgures 1-5, alt arithmetic operations were exact modulo (XNBase), double precision 25 
numbers exact to 1 B digits. However, other cryptographic mathematical techniques could be utilized equally 
well, and implemented in accordance with the teachings of the present Invention. 

It will be understood by those skilled in the art that other functional and operative relationships between 
the data and validation information can be used consistent with the teachings of the present invention. 
Furthermore, In performing the verification function, apwretive relationships in addition to or Inatoad of . 3^ 
comparison can be used consistent with the teachings of the present Invention. 

While there have been described above various embodiments of system and methods for guaranteeing 
tha IntegritY of the control program of agambling machine having sealed and nonsealed portions, for the 
purpose of illustrating the manner in wrtilch the invention may be used to advantage, it vvill be appreciated 
that the invention I9 not limited thereto. Accordingly, any modification* variation, or equivalent arrangement 35 
within the scope of the accompanying claims should be considered to be within the scope of the Invention. 
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4Q 1, Asystemforselectively operating in one of a plurality of modes responsive to a delermirted system 40 
Integrity oomprfsing: 

(a) a nonsecure portion Of the system having data end validation Information In a portion therein, 

(b) a secure portion of the system comprised of: 

(1 ). means for derfving a first value from the data according to a first relationship; 
4g (2) means for deriving a second value from said validation information by mBar^s of a second 45 
relationship, 

(3) means for operativety relating said first and second values to determine system integrity, 

(4) mea ns for activating said system to a seJected operational mode responshre to said means for 

operatively relating, 

KA 2. Ihe system as In aaim 1 further characterized In that said nonsecure portion comprises a memory. 50^ 

3. The system as in Claim 1 whereinthe Integrity of tfie nonsecure portion is crypto graphically verifiable, 
and the Integrityof the secure portion is noncryptographfcaily vetlfiabla. 

4. The system as in aalm 1 further charactertiod In that said vaDdeiion Information is derived from said 
data according to first and third relationships. 

55 5. The system as in Claim 4 wherein said second relationship Is the inverse of ti^a tiilrd relationship. 55 

6. The system as In Claim 1 further characterized in ti\at said means for operatively relating provides bad 
and good system integrity outputs Indicative of the detennlned system integrity. 

7, The system as in Claim 6 wherein said means for activating said system acthrates said syutsm to a first 
operational mode responsive to good system integrity output and activates said system to a second 
operations I mode to a bad system integ rity output 60 

a The system as In Claim 1 further characterized In that said system is activated to a first operational 
mode responsive to a determination of good system integrity and said system is activated to a second 
operational mode responsive to a determination of bad system integrlty. 
9. The system as in Claim 7 or 8 further characterized In that said first operatiorwl mode is a normal 
^ operational mode, and said second operational mode is an alarm mnde. 65 
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1 0. The system as in Claim 4 or 5 wherein said first and secgnd rel inlonsMps are public and dald third 
relationship is secret 

1 7. The system as In Claim 4 or 5 wherefn said first, second and third relationshipa are ana way functions. 

12. The system as In Oatm 1 wherein ddid first relotionship is further characterized tn that changing any 

5 of the data changes the firat value. g 

13. They sy^m as in Claim 1 further characterized as a gaming system. 

1 4. The system as in Oaims 1 or 2 or 3 or 4 or 5 or 6 or 7 or 8 or 1 2 farther characterized as a gaming 
syatom, 

15. The system as In Claim 10 further ciharactenzed as a gaming system. 

10 The system as In Claim ITfurthercharacterized as a gaming system* 'jO 

17. The System as in Claim 9 further charactarized as a gaming system. 

18. The system as in Claim 1 7 wherein aaid noraml operation mode Is a ptayer-rasponsive mode* 

19. The system as in Cleim 13 further characterlEsd in that said secure portion is physically sealed. 

20. A system as In Claim 1 or 13 further characterized In that said data and validation Information are 

15 loaded Into said nonsecure portion from an apparatus remotely located relative to the system. ^ g 

21. The system as in Claim 1 or 13 wherein said nonsecure portion includes a memoryr and said secure 
portion Includes a processor and a memory. 

22. The system as In Claim 1 or 13 further comprising: 

interface means for communFcating with a device external to the system, 
20 means for loading the nonsecure portion with received communleations responsK/e to the Interface 20 
means. 

23. The syetem as In Claim 22 wherein eald received communications la further characterized as satd 
data and validation Information. 

24. Thesystemas jnCldim22furthercomprising: 

25 meansforcommunicating the determined system integrity to a device external to the system* 2S 

25. The system as In Claim 1 or 13 wherein said secure portion of the system is remotely located relative 
to aa'id nonsecure portion, 

26. The system as in Claim lor 13 wherein said secure portion comprises a processor and a memory, 
wherein said processor executes mstruetlons from said secure memory to derive eald firat end second 

$0 values. 30 

27. The system as in Qaim 8 further characterized in that said first mode is a player responsive mode, 
and said second mods Is a player nonrespcnstve mode. 

28. The method as in Claim 27 wherein said second mode activates an alarm. 

29. A system for insuring the integnty of a remotely located downloaded memory comprising; 

35 (a) a controller Including encr/ption circu Itiy for deriving validation infom^tion from data by means of e 35 
first relationship and a second relationship having an tnveree, 

(b) a system, remotely located relative to s^d controller, including a memory, 

(c) means for communicating data and validation information from said controller to said remotely 
located system for storage in said memoryi 

40 (d) verification means comprised of: 40 
(1) means for deriving a fir^ vaiuefrom the data contents of the memory by said first relaflonship; 
12) means for deriving a second value from said validation information i>y said inverse relationship; 
(3) means for operetlvely relating said first and second values for providing an output f ndicath^ of 
system integerity, and 

4^ (4) means for manifesting an action responsive to said system integrity output 45 

30. The system as in Claim 29 wherein said verffication means is remotely located relative to said 
controller. 

31 . The system as in Daim SOfurther characterized in that said first reiatlonehip and Inverse second 
relationship are public and said second relationship is secret 

eo 32. ThQsystemas in Claim 30 wherein said remotely located system tea gamfng system. SO 

33. The system as in Claim 30 wherein said first; second and inverse relationships are one- way mapping 
functions. 

34. The system as in claim 30 wherein said ection id further characterized as activating eatd system to a 
norrnal operable mode responsive to an output of good eyatem Integrity, and activating said system to an 

55 alarm mode responsive to an output of bed system integrity. 55 

35. The system as in Claim 30 wherein said remotely located system is further comprised of data 
processing means, 

36. The system as h Claim 30 wherein said controller is operath^ ly coupled to sef ectrvely communicate 
with a plurel ity of remotely located systems. 

^ 37. The system as In Claim 36 further characterized in that at least one of said remotely located systen^s 60 
is a garning system, 

38. The system as in Claim 37 Wherein each of said remotety located systems is operativety configured 
responsive to communications from said controller to the respective remotely located system. 

39. A gaming system comprising : 

65 (a) a circuit board; $5 
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<b) a nonsecurepoitionofthBcircuftlMartLtheintBgrTtyofwhlchrscryp^ 
a memor/ having d9ta and validatfon Information siorecl therein, wherein the vandatfon fnformafa'on Is 
derivodfroin tha data information eccording to a puhOpfinst relartiortship and a secret eacond relationship 
having a public inverse rerationship; 
e (c) a satire portion of the circuit board having processing electronics mounted thereon, thoTnrtegrJty 5 
the secure portion being detectable, 
wherein said secure portion of the drcuh board fa lurcher comprised of: 
(1 ) meana for deriving a first value from the data omfpr« atopm according to the public ff rst 
relationship, 

10 rneansfor deriving a second vqIu9 from ealdvaildatton word by means of said public tnverae 

relationship, : • 

(3) means for operating on said first and second values to provide an Integrity signal, i 

(4) means for activating said system to a first mode responsive to a fi rst integrfty signal indicative of ! 
good system integrity, and 

15 (6) means for activating said system to a second mode responsive to a second Integrity signal ib ' 

indicative of bad system Integrity. 

40- The system as In Claim 3d wherein said secure portion is further comprised of a processor and a 
second memory. * 

41 . Tha system as in Claim 39 wherein said firstr second and Inverse second relationshtps are one-way 
20 functions. 20 

42. A system as in Claim 39: 

wherein said first relationship has the characteristic that changing the contents of said memory changes 
said first value. 

43. The stystem of Claim 39 : 
25 wherein said second relationship is a oneway trap-door function. 25 

44. A gaming cyctcm comprising: 

(a) a cabinet having a display area and a user control; 

(b) a circuit board mounted within the cabinet; 

(c) a nonsecure portion of the circuit board, the integrity of which Is cryptog raphlcally detectable, having 
30 a memory having data and validation Information stored therein, wherein the validation Irrfomation Is 30 ' 

derived* by means of a second relationship having an Inverse rdationship, from a first value derived from 
and changing according to a first relationship responshw to the data contents; 
<d) a secure pc rtlon of the circuit board having verffiably good Integrity comprising : 

(1 ) means for deriving a second value from the data contents of the first memory according to the first 
35 relationship, ^ ^ 

(2) means for deriving a third value from 6d1d validation information by moans of said inverse 
relationship, 

(3) means for providing an Integrity output responsive to opertirtg on said secor>d and third values, 

(4) means for activating said system to a first mode responsive to a f;ret Intogrity outputs and 
40 (5) means for activating said system to a second mode responsive to a second integrity output. 40 

4$. The system as In Claim 44 wherein said first Integrity output Is indicative of good systam Integrity, 
and said second integrity output is indicative of bad system intcgrrty. 
4^ The system as In Claim 45 wherein said first mode Is further characterized as activating said system 

tu a usur vonlrul raspanQive fa-yblom. 
45 47. The system as in Claim 45 or 46 wherein said second mode is further characterized as activating an 45 
alarm. 

48. Agaming system operable In a player responsive mode and an alarm mode, comprising: = 
a first memory havi ng data and validation Information content? thereln> wherein said validation 

inforrrwtion is operatively assoclatsd with the rentalning contents of the nonsecure memory 
50 a secure memory: 50* 
means for vaWdatirig the integrity of the first memory comprising: 

means for executing instructions from the secure memory so as to derive a first value operativety 
associated with the data contents of the first memory; 

means for executing Instructions from the secure manrory so as to derive a second value operatively 
55 associated with the validation Information; 55 

means for providing a good/faulty system intagrity result output responsive to operatively relating said 
first and second values; 

means for activating said gaming system to said alarm mode responsjvo to a result output of faulty cystem 
Integrity; and 

g() means For activating said gaming system to said player-responsive mode responsive to a result output of go 
good system Integrity. 

49. The system as in Claim 48: 

wherain emd first relationship has the characteristic that changing the contents of said first memory 
changes said first value. 

55 60. A gaming system as in Claim 48 ur 49: ^ 



PAGE 15/18 * RCVD AT 7/26/2005 5:43:29 PM [Eastern Daylight Tune] » SVR:USPTO'EF](RF-6/24 * DNIS:273830<I * CSID:3127079155 ' DURATION M:D5-44 



FROM McANDREWS, HELD, & MALLOY (TUE) 7. 26' 05 16:48/ST. 16:43/N0. 4861050007 P 16 



7 GB2 121569A 7 

Wherein said valfdation information is derived from said first value, 

51. The system ds in Claim 48 wherein said first second and inverse second relationships ara one-way 
functions, 

52. A system for insuring tho Integrity of Information loaded into the system, onmprfstng: 

5 (a) a memory having Initially undefined contents; 5 

(b) means for loading data and validat'on information into the contents of the memory whisrein said data 
is related to said validation information according to a public first and a secret second ralationship; 

(c) means for verifying the integrity of the loaded contents comprising: 

(1 ) means for deriving a first value acoordrng to the first relationship responsive to the data contents of 

TO the memory, jO 

(2) meara for deriving a second value according to a public inverse of the second relationship 
responsive to the validation information, 

(3) means for opftratfvefy refatlng the first and second valuss to provide an Integrity output indicatjve 
of good and bad Integrity of the memory contents, 

15 (d) mear^ for controlling the operable status of the system further comprising: 15 
11 ) means for actrvating said system to a normal Operational mode reeponsh/e to the good integrity 
output, and 

(2) meanB for acth^ating said system to an alarm mode responsive to said bad integrity output. 

53. The system es in Claim 52: * 

20 wherein said system is a gaming system. 20 
64. The system as in Claim S3 ^rther comprising: 
an tmerface port fOr coctimunlcattng with an external device; 

means responsive to said interfiace portfor loading said memory with the communications received from 
said external device. 

2s 55. The system as In Claim 53 or 54 wherein said memory is located tn a nonsecure portion of the second 29 
systemi and said means for verifying the integrity and means for controlling the operable status are located 
in a seout-e portion of the second system. 

56. The system as In Claim 52 or 53 having user responsh^ Input means, wherein said normal 
operational mode is further characterized as being responsive to said user respondvc Input means. 
30 57. A method of controlling the operable mode of a system having a memory with data and validation 3O 
information contents, comprising the steps of: 
deriving a first value from the data contents according to a first relationship, 
deriving a second value from the validation Information according to a second relationship; 
operatlvaly relating said first and second values so asto deitsrmine system Integrity, 
35 activating the system to a selected operative mode responsive to the determined system integrity. 35 

58. TYie method as In Claim 57 further characterbsed in that said aystam ta a gaming system. 

59. The method as In Claim 97 further characterized in that said validation information is derived from 
said data content according to the first relationship and an inverse to the second relationship. 

60. The method as in Claim 59 further comprising the steps of: 

40 activating the system to a norm al operative mods responsh^e to a determination of good system integrity, 40 
and 

activating said systom 10 an alarm operative mode responsive to a determination of bad system integrity. 

61. The method as in Claim 57 or 58 further comprising thest^s of: 
making ihe first and second relationships public; 

45 maintaining the inverse to the second relationship In secrecy. 45 

62. The method as In Claim S7 or 58 further comprising the at^s of; 

deriving said first value by means of a functfon which exhibits the characteristic that changing any of the 
contents of the nonsecure memory changes the first value. 

63. The method as in Claim 62 wherein said validation Information is derived from said first value, funher 

50 comprising the steps of: 50 
determining said second value from said validation information by means of an Invert derivation to that 
by which the validation information Is obtained from the first value. 

64. A method for creating a memory having verifiable secure data contents comprising the steps of: 
deriving a first value from the data contents of the memory by a fir^ relationship wherein ohanging the 

55 contents ofthe memory Changes the first value; 65 
derivinga validation value from said first value by a second relationship havirrg an Inverse 

reldtionshipjand 
storing and validation value In said memory contents. 

65. A method of verifying the integrity of a memory having data content and valfdation value content 

QQ related to said data content by first and second relationships, comprising the steps of: 60 
deriving a first value from the data content of the memory by thefirst relationship; 
deriving a second value from said validation value by an inverse to said second relationship; 
providing an integrity output indicative of good and bad system Integrity responsive to operatively 
relating the first value and the second value; 
providing a first activation signal responsvie to said Integrity output Indicating good system integrity and 65 
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providing a second activation signal responsJve to said fntegn'ty output rndicaUng bad system Inteority. 

66. TTie method of Claim 34 or 65 wherein cold first relatfonshfp and fnveree second relationship are 
puWfc and said second raJatlonshfp is sacrot 

In a system^ having a aeaf ed secure drcuit portion comprising a processor and a ftm memory. $aid 
5 system also having an Ineacura oFrcuit portion comprising a second memory, a method of insuring the 
integrity of the insecure portion of the system compriaing the steps of; 

deriving a first value from the data content of the second memory by a first reJatiOnship wherein changing 
the contents of the second memory changes the firet value; 
derMng a vaDdation value from said ffrst value by a second relationship having an inverse reiationship 

10 

storing said vaifdation value at a predefined location in said second memory- 

69. The mcrthod as in Claim SB further comprising the scope ofr 

(a) verifying the integrity of the second memory by means of saJd secure portion, further comprising the 
steps of: ^ 

^5 (1 ) deriving a third value from the contents of the second memory by said first relationship; 

(2) deriving a fourth value from said validation value by said inverse relationship; and 

(3) operatZvely relating the third vatua to the fourth value and providing a relational output; and 

(b) controlling the operable status of the system further comprising the steps of: 

(1 ) activating said gaming system to a noimal-responeive mode rosponarve to said relational output 
20 Indicating good system Integrity, and 

(2) actwatlng the system to an alarm mode responsive to said relational output indicating bad system 
integrity. 

70. The method of Claim 68 or 69 IxJrther characterlzad In that safd first and inverse second relationships 
are public and said second relationship Is secret 

25 71, ThemethodofClalmTJOftjrthercharacterizedinthatsaldsecondmemoryesnonvoIatile. pc- 

72. The method of Claim 6fi or 69 further characterUed in that sy&tem is a gpming system, 

73. The method of Claim 69 further characterized in that said nonnai-reaponeive mode is a player 
responsive mode, and said alarm mode is a player nonresponslve mode. 

74. A method of Claim 71 wherein said step of operatively relating further comprises the steps of: 

3Q comparing the magnitude of said first and second values, and indicating said good system integrity by a 30 
relational result of equality, and indicating said bad system Integrity by a relational result of inequality. 

75. The method Of Daim 71 further characterized In that said first seqond and inverse second 
relationships are one-way mapping functions. 

76. In a gaming system, having a player responsive mode and a player nonre^onsive alarm mode, said 
33 syatem comprising a nonsecure mompry having data and validation Information, said validation information 

being operatively related to the data, said sytem also having a secure memory, a method for selectively 
activating the syatem to a predetormlned mode responsive to validating the Integrity of the nonsecure 
memory, comprising the steps of: 

(a) executing Instructions from the secure memory so as to derive a first value representative of the 
4Q contents of the nonsecure memory; 

(b) executing instructions from the secure memory so as to derhro a second value representative of the 
validation word; 

(c) operetively relating the first and second values to pro>rtde an indication of system integrity; 

(d) activating s^fd gaming eyBtam to said playar nonreaponsive alarm mode responsive to an indlcalJon 
45 of improper system integrity; 

(e) activating said gaming system to said player-responswe mode responsive to an indication of good 
system integrity. 

77. The method as in CI aim 76 further comprising the steps of; * 
deriving said first value by means of a function which exhibto the characteristic that changing any oi the 

00 contentsofthe nonsecure memory changes the first value. en 

78. The method as In Oalm 77: * 
wherein said validation word is derived from said first value, further comprising the steps of: 

determining said second value from said validation word by means of an inverse derhfation to that by 
which the validation word Is obtained from the first value. 
5g 79. The method as in Claim 76 wherein said first value Is derived by 
operatively relating said data to a first functional n>app)ng; and 

further characterized In that said validation information is operatively related to said first value according 
to a second functional mapping, 
wher&'n said second value Is derived by 
$Q operatively relating said validation Information to an inverse of said second functional mapping 
80- The method of Claim 57 or 68 or 76 further comprising the steps of: 

communicating said data and associated validation Information to the system from a source external to 
the system; 

storing said communicated data and associated validation information in said memory. 
eg 61- A method for controlling the operative mode of a system, having local and rBmote devices 
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respooslve to determined integrity of communicated Information comprising the atAps of: 

operating upon data Information at the remote device according to first and second reJationshlps to dorlvB 
valrdation informstfon, 

communicating said data and validation information from the remote device to the local device 
5 oper^ng upon said data information at the local device, accordin0 to said first relationship, to derive a c 
flrst value; ° 

operating upon said validation informarHon at said local device, according to an inverse of said second 
relationship^ to denve a second value; 

controlling the operative mode of the syatam responalva to operatively relating said flret and second 
10 vaiueq, 

e2. The method as In Claim 81 further characterised in that there are a plurality of local devices, w ^° 
the step of controlling ihe operative mode of the system ftjrther comprises the steps of: 

sal ectiveiy controlling the operative mode of each off said local devices responsive to the operstrve 
relationships for each respective first and second vatuea. 
16 83, The method 39 in Ciaim 81 further comprising the steps of r 

deriving said first value by means of a function which exhibits the characteristic that cha nging any of the 
contents of the nonsecu re memory changes the first value. 

84. The method as In Qaim 81 wherein said validation information is derived from said first value further 
comprising the steps of: 
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20 determinlngMidsecondvaluefromsaidvalidaUoninformationbym^^ 
by which the validation word is obtained from thefiratvalue. 

85. The method as in ClaJm 81 further characterized fn that said fi ret and inverse second funcdonal 
relationships are public, and said second functional relatiooahip Is secret 
8$. The method as In Claim 8l or 85 further characterized In that saldfirat, second and Inverse second 
25 funclional relationships are one-way functions, 

87, A syatem for $electively operating In one of a plurality of modea responsive to a d etermlned system 
Integrity substantially as herein described with reference to the accompanying drawings. 

OT. A system for Insuring the integrity of a remotely located downloaded memory substantially as herein 
described with reference to the accompanying drawings. 
30 89. A gaming system substantially as herein described with reference to die accompanying drawings. 30 

90. A gaming system operable in a player responsive mode and an alarm mods substantlany as herein 
dflscnbed with reference to the accompanying drawings, 

91 . A systsm for insuring the Integrity of information loaded Into the system substantially as herein 
described writh reference to the accompanying drawings. 

35 02. A method of controlling the operable mode of a system having a memory vWth data and validation 
information contents substantially as herein described with reference to the accompanying drawings. 

93. A method for creating a memory having verifiable secure data contents substantia lly as herein 
described with raference to the accompanying drawings* 

94. A method for verifying the integrity of a memOfy having data content and validaton value content 

40 related to said data content by first and second relationships substantially as herein described with reference 40 
to the accompanying drawings. 

85- In a system, having a sealed secure drcult portion comprising a processor and a first memory, said 
system also having an Insecure circuit portion Comprising a second memory, a method of insuring the 
Integrity of the Insecure portion of the aystem subatantially as herein described with reference to the 

45 accompanying drawings. 

96. In a gaming system, having a piayer responsive mode and a player nonresponsive alarm mode, said 
system comprising a nonsecure memory having data and validation information, said validation information 
being operatively related to the data, said system also having a secure memory, a method for selectively 
activating the system to a predetermined mode responsive to validating the integrity of the nonsecure 

50 memory, substantially as herein described with reference to the accompanying drawings, so 

97. A method for controlling the operathre mode of e ayatem, having local and remote devices 
responsive to determined integrity of communicatad Infom^'on substantially as herein described with 
reference to the accompanying drawings. 
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